ICS-CERT: Control System Internet Accessibility

This Alert Update is a follow-up to the original ICS-CERT Alert titled ICS-ALERT-11-343-01 Control System Internet Accessibility published to the ICS-CERT Web site on December 09, 2011, and ICS-ALERT-12-027-01 Increasing Risk to Internet Accessible Control Systems published to the ICS-CERT Web site on January 27, 2012.

This update includes additional activity observed by ICS-CERT related to the threat of Internet accessible control systems devices.

ICS-CERT is tracking and has responded to multiple reports of researchers using SHODAN, Every Routable IP Project (ERIPP), Google, and other search engines to discover Internet facing control systems. ICS-CERT has coordinated this information with the identified control system owners and operators to notify them of their potential vulnerability to cyber intrusion and attack.

When appropriate, ICS-CERT also coordinates with the corresponding sector Information Sharing and Analysis Centers (ISACs) or international CERT/CIRT (Computer Incident Response Team) to notify asset owners. In many instances, the exposed systems were unknowingly or unintentionally configured with potentially unsecure access authentication and authorization mechanisms.

ICS-CERT works with the asset owner/operators and vendor or systems integrators whenever possible to remove any default credentials and secure these systems from attack. In cases where unauthorized access has been identified, ICS-CERT has assisted control system owners and operators with system and firewall data analysis to determine the extent of the intrusion and whether any configuration changes might have been made to the system.

The use of readily available and generally free search tools significantly reduces time and resources required to identify Internet facing control systems. In turn, hackers can use these tools to easily identify exposed control systems, posing an increased risk of attack. Conversely, owners and operators can also use these same tools to audit their assets for unsecured Internet facing devices.

RECENT REPORTS

Internet facing control systems have been identified in several critical infrastructure sectors. The systems vary in their deployment footprints, ranging from stand-alone workstation applications to larger distributed control systems (DCS) configurations. In many cases, these control systems were designed to allow remote access for system monitoring and management.

All too often, remote access has been configured with direct Internet access (no firewall) and/or default or weak user names and passwords. In addition, those default/common account credentials are often readily available in public space documentation. In all cases, ICS-CERT has worked with these organizations to remove default credentials and strengthen their overall security. Recent examples of these are as follows.

• ICS-CERT has recently become aware of multiple systems with default usernames and passwords that are accessible via the Internet. These systems have not been configured securely with common best practices such as being placed behind a firewall or changing documented default credentials. These reports include the Echelon i.LON product that is commonly deployed within ICS devices such as motors, pumps, valves, sensors, etc., which contain a default username and password. This is not an inherent vulnerability, but left unchanged, poses a security risk, especially when configured as Internet accessible. The default username and password should be removed and replaced with a strong username and password configuration, especially when the device is Internet accessible.

• ICS-CERT has released several products concerning weak authentication mechanisms. Weak authentication mechanisms are often difficult to remedy because passwords cannot typically be changed by the user to protect the system. The products below highlight weak authentication vulnerabilities that have been reported to ICS-CERT and patched by the vendor:

ICS-CERT recommends that organizations audit their control systems and apply patches, and follow vendor-recommended security postures and settings.

• In February 2011, independent security researcher Rubėn Santamarta used SHODAN to identify online remote access links to multiple utility companies’ supervisory control and data acquisition (SCADA) systems. Mr. Santamarta notified ICS-CERT for coordination with the vendor and the affected control system owners and operators. Further research indicated that many systems were using default user names and passwords.

• In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. ICS-CERT worked with the Water Sector ISAC and the vendor to notify affected control system owners and operators. Many of those control systems had their remote access configured with default logon credentials.

• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet facing devices that he discovered using SHODAN. To date, this response has included international partners and approximately 63 other CERTs in the effort to notify the identified control system owners and operators that their control systems/devices were exposed on the Internet.

• In November 2011, another individual claimed to have directly accessed an Internet facing control system. The report indicated that the individual gained access using default username and password. ICS-CERT notified the affected control system owner and advised the owner to disconnect the control system from the Internet and reconfigure the remote access security. ICS-CERT also coordinated with the SCADA vendor to provide the owner detailed instructions for removing the default logon account.

• Currently, ICS-CERT is coordinating the response to several new reports of Internet facing control systems from independent researchers Billy Rios, Terry McCorkle, Joel Langill, and other trusted sources.

When incidents of this nature are reported, ICS-CERT works with the reporting entity, control system owners and operators, vendors, integrators, ISACs, and other U.S. and international CERT/CIRTs to notify the identified entities and help the mitigate their exposure.

MITIGATION

ICS-CERT recommends that control system owners and operators audit their control systems—whether or not they think their control systems are connected to the Internet—to discover and verify removal of any default administrator level user names and passwords. Because each control system installation is unique, owners and operators may need to contact their system vendor or integrator for assistance with locating and eliminating default accounts.

Owners and operators can also perform a comprehensive control system cybersecurity assessment using the DHS Control Systems Security Program (CSSP) Cyber Security Evaluation Tool (CSET). CSET is a free, downloadable, stand alone software tool that is designed to assist owners and operators to:

A CSET fact sheet is available on the CSSP Web page, it explains the self-evaluation process and provides further information and assistance with the tool. The tool can be downloaded online or organizations can contact CSSP to request onsite training and guidance.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.